On 15 April 2019, the Administrative Court held that Sussex Police had breached the data protection rights of a 16 year old girl by disclosing details of her vulnerability to child exploitation to the local Business Crime Reduction Partnership. The girl had been excluded from a number of local businesses by the Crime Reduction Partnership and the police had an agreement to share information with the Partnership concerning suspected offenders.
Although Sussex Police had “strongly disputed” sharing any such data with the Partnership, Mrs Justice Lieven DBE held that its denial was “difficult to accept” in light of emails which made it “plain” that information about the girl’s vulnerability had been disclosed. Moreover, the judge found, there was “no evidence that the Defendant properly weighed up the impact on the Claimant of sharing this information, or whether there were sufficient safeguards to ensure against onward transmission. In particular there is no evidence that the Defendant addressed its mind to the particular importance of not sharing information of this nature about a child”.
Mrs Justice Lieven also found that Sussex Police had failed to provide “full and fair disclosure of relevant material” concerning its dealings with the Crime Reduction Partnership, and that it was “virtually beyond doubt that there is further relevant material which still has not been disclosed”.
The case is one of the first cases under the Part 3 of the Data Protection Act 2018 concerning the processing of law enforcement data by a police force. Notably, processing of this type falls under the scope of the Law Enforcement Directive rather than the GDPR.
Eric Metcalfe acted for the Claimant, instructed by Rachel Etheridge of Matthew Gold & Co Solicitors.